Technical Analysis: Black Basta Malware Overview

DOWNLOAD THE FULL ANALYSIS

INTRODUCTION

Quadrant was recently able to aid a client during an organization wide compromise by the Black Basta ransomware group. This group is a “Ransomware as a Service” (RaaS) organization known to target medium and large companies. The following contains an overview of the compromise as it progressed, as well a technical analysis of the malware and techniques observed, ranging from a successful phishing campaign to the attempted ransomware detonation. Although some exact details of the threat actor’s actions are still unknown, the evidence gathered has allowed for inferences into many of the gaps. The names of all clients, all accounts, and some files have been modified for client confidentiality. Indicators of compromise, including malicious domain names, have not been modified. Any log modification has been made to redact client information, break potential links, or for readability.

RELATED TO THIS STORY

• EXPERT INSIGHTS: BLACK BASTA BACKEND OPERATIONS
• PODCAST: BREAKING BADNESS – QUADRANT SECURITY | BLACK BASTA SPECIAL REPORT

• CASE STUDY: THWARTING BLACK BASTA

The timeline below shows a high-level overview of the incident:

Image

INITIAL ACCESS

The Threat Actor began this attack by compromising a user account at a third-party vendor (TPV). Although little is known to Quadrant about the compromise on the TPV, access allowed for the use of an "info@" account. The use of such an account would have allowed the Threat Actor to pose as the compromised user without creating extra "junk" in the user's inbox which could raise suspicion. Following initial phishing emails, the threat actor continued to submit additional phishing emails to the client via similar account names from different domains. Both samples reached their victims shortly after noon on the 20th of September

The phishing emails contained what was later determined to be "Qakbot," a sophisticated trojan. Following the infection, these hosts began to beacon on out to over 100 IP's using various ports. The client’s Cisco “Advanced Malware Protection” (AMP) detected a connection with one of these IP's over TCP port 2222. Although this did trigger an alert in AMP, the Quadrant ingestion of these logs was not configured, so this did not generate an alert through the Sagan Solution.

The Suricata engine did detect these connection attempts, however no alert was raised by the Packet Inspection Engine. Quadrant monitors companies' ingress and egress traffic using onsite Packet Inspection Engine (PIE) appliances running the Suricata Detection engine. Although many other rulesets are used to screen for malicious activity, Quadrant has custom rules in place to detect SSH over nonstandard ports, such as TCP 2222. These rules did not fire due to the absence of an SSH header in the traffic. One may assume that traffic over 2222 would be SSH traffic, however further analysis of the traffic generated by the Qakbot Sample in the lab shows that this connection was likely HTTPS in nature.

Eventually, the malware was able to find an active C2 server. It took about 35 minutes between initial infection and the first successful communication between a compromised host and the C2 domain. The second stage payload, which was later determined to likely be the penetration testing framework "Brute Ratel," was then downloaded via a connection to an IP from Russia.

PERSISTENCE AND ESCALATION OF PRIVILEGE

Following the compromise of two hosts and gaining a foot hold, lateral movement began. The client's full infrastructure is comprised of three domains: Construction, Commerce, and a Subsidiary. Both initial compromised hosts were in the Construction environment. These domains had shared trust and were connected via VPN tunnels which allowed the threat actor to move freely between domains. 

We believe that multiple methods and tools were leveraged in order to do this. At this point, visibility becomes muddled due to the focus of observation and detection is ingress and egress traffic. However, following the investigation into the recorded logs and the follow-on detailed analysis of malware samples, we can make educated guesses on some of the missing pieces.

Initial lateral movement and the lay of the land was likely conducted using Brute Ratel. This was determined through a review of files found on one of the initially compromised hosts. One file, "zfgufgfvezdnbcvjkzctpvfdj.dll," matches the hash of previously submitted Brute Ratel samples.

Due to the lack of visibility, we were unable to find the initial connection from the two "Patient Zeros" to the local Domain Controller. However, after reaching the local DC, the attacker was able to gain a better lay of the land and observe the presence of the other two domains.  

Initial Command and Control was conducted from "23[.]19[.]58[.]43"[zedorocop[.]com] and "23[.]106[.]160[.]141" [danimos[.]com]. The IP’s used for C2 and the level of interaction changed over time as the compromise grew.  For example, mid-stage infections showed calls to "146[.]70[.]86[.]44"[gerhiles[.]com]. It’s important to note that the FQDN’s that were used as C2 were all registered the same month as the compromise. 

Multiple administrative and system accounts were compromised during this incident. One possible explanation for this comes from “Kerberoasting”. This technique was observed in the Commerce environment through a sharp incline of Kerberos requests using RC4 encryption. We do not believe that this was successful in this environment, due in part to the lack of additional signs of compromise specific to this Domain. However, this technique was likely performed on the other two client domains where visibility gaps existed. This is further supported by the source and destination of these requests were cross domain: The source of the “Kerberoasting” was based in the Subsidiary environment and the Domain Controller that was attacked was in the Commerce environment. 

Once administrative access had been achieved, the threat actor also added new administrative accounts to the environment. 

PROPAGATION

Unknown to everyone but the attacker, multiple files were being transmitted throughout the environment:

Two file names were observed during the incident "Client_s.exe" and "Client.exe." It is expected that the different naming schemes are related to the different variations of the Black Basta ransomware. Although no sample was able to be provided for the Client.exe (which is believed to be the ESXi variant), Quadrant was able to obtain a copy of "Client_s.exe" for Windows hosts.

Two ".bat" files were sent throughout the organization. Both were designed to turn off antivirus and anti-malware software. One does not use any obfuscation and just contains the simple command to stop Cisco AMP Orbital. This could indicate that it was written hastily in order to get it onto the target environments quickly. The other, targeting Windows Defender, required multiple steps in order to view the commands.   

Tox5, which appeared to be a component of Cobalt Strike, as well as Cobalt Strike beacon with the name of "Ticket-5731.xls."

These files continued to replicate throughout the organization though the use of Server qMessage Block (SMB), eventually spreading to almost every endpoint and server in two of the three domains. The attack on the Commerce domain does not appear to have been effective, outside of one host in a training environment. Most hosts in the Commerce environment HAD more restrictions placed on their operating system by default which likely contributed to the lack of success by the threat actors in the Commerce environment. 

EXFILTRATION

Once a file server was identified, an FTP connection was established to an external site. This was not used for C2 activities but only for receiving the exfiltrated data. Suricata logs show that “RClone” was downloaded on the file servers in order to facilitate exfiltration of the logs. RClone is designed to transfer large volumes of data from one host to the cloud with ease. This legitimate program was abused by the attacker to steal client data.  

DETECTION AND RESPONSE

The most critical asset of the Security Operations Center is the human SOC Analyst.  A human can look at the totality of a situation and make a judgement call that no AI or automated process can. From the analyst's perspective, the only alert that was generated and brought to the SOC was a Suricata FTP rule looking for CVE 1999-0911, related to an overflow using the MKD command. This FTP command is defined as "...causes the directory specified in the pathname to be created on the server. If the specified directory is a relative directory, it is created in the client's current working directory."

Although many old signatures are decommissioned or otherwise suppressed, Quadrant leaves some rules in place as "hunting" rules. These are more focused on the overall techniques or "odd" traffic that could be an indicator of compromise. In this case, the analyst investigating the alert observed that this was technically a False Positive, as the command was not used in an abnormal fashion. However, looking at the destination, which had not been previously observed in the environment, the file names (which were quite varied), and the volume of the files outbound, the analyst decided to call the client to err on the side of caution. Had the analyst not conducted their due diligence or had this archaic signature been suppressed, it is highly likely that this compromise would not have been detected until after the encryption process had begun.  The current list of rules developed following this incident can be found in I

The alert was submitted at 18:27 EDT on 9/21/2022. Just over 30 hours after the initial infection.

The client determined it to be out of the ordinary but was unaware of the extent of the compromise. However, during the course of the evening, it became apparent that something was greatly amiss. The following morning, the client’s CISO contacted the Quadrant team to report that there was indeed an active compromise within their environment.

The client provided malware samples from the phishing emails and the analysis began. Threat hunting was conducted within the logs.    A dedicated “out of bands” communications channel was established between Quadrant and the clients.  As more evidence was uncovered, the full threat began to be realized. 

One aspect of the actions taken by the Incident Response team was a live log review. The term "look for anything suspicious" is often a nightmare of a request, because how does one truly define suspicious without a base line. However, with the amount of knowledge of the situation and years of experience on his side, a member of the I.R. team decided to look at the raw logs in real time to see if anything stood out.   Windows Event logs and “clipboard” logs are collected using NXLog Enterprise.  While clipboard logs are not stored on the local host, they are sent to the Sagan Log Analysis Engine for further analysis and retention.  While examining this data, the I.R. team member became aware of the use of RDP by the Threat Actor by observing RDPClip.exe logging that looked, by definition, incredibly suspicious.

Among the many “clipboard” logs observed, "Client.exe -bomb," stood out. Although the full extent of the command was not realized at the time, due to the implied malice it was decided that now was the time to attempt to purge the threat actor.

The Clients response team locked out the accounts that were known to be compromised. However, the threat actor had complete control over the environment. Following the initial attempt to lock out the threat actor, the threat actor retaliated.  This resulted in a catastrophic lockout of the client's staff and administrators.

This was not completely unexpected.   Knowing that there was an ongoing data exfiltration attempt along with a full network compromise with a relatively short “dwell” time, plans had been put into place to restrict all access to the network in order to mitigate and prevent the threat actor from doing more damage.  The client's staff was simply waiting on the “order” to halt the network.

After quick conference between Quadrant and the client, all parties agreed and the decision was made: At approximately 8:45pm on September 22, only 56 hours after the initial phishing email had been opened, the physical cables from between the domains as well as their connection to the Internet were pulled.

Because of the observation, hunting, and superior teamwork between the Quadrant team and the client, only a handful of ESXi servers were encrypted. Had the team not taken action to sever the Internet and domain connections, the encryption command would likely have replicated throughout the Construction and Subsidiary environments. With the assistance of a third-party incident response firm and constant ongoing contact with the Quadrant team, the client was able to slowly, systematically, and safely bring their servers on-line while purging any remains of the threat actor over the course of the next two weeks. 

Ultimately, this was considered a success in defense of the client. But there were many lessons learned. Through the later review of the logging and after-action analysis of the event, more detections rules have been created to better alert on what visibility does exist in this, and many other, client environments. 

TECHNICAL ANALYSIS

INITIAL ACCESS: QAKBOT INFECTION

The two phishing samples provided by the client show two different techniques:

Email response as part of an Email Chain:  "Re: RE: Logistics":

The phishing email came from a legitimate vendor "stoneworkers". The phishing attachment was submitted to the target in a response to an ongoing conversation that was being held between a member of Quadrant’s client and the TPV. The attacker submitted the email from "info[@]stoneworkers[.]org" while posing as "jpeterman[@]stoneworkers[.]org". The email had applicable context and the email chain contains back and forth to another member of the TPV as well.

Cold Email: "Solution for Issue 37":

The phishing email came with no pretext from a site not used by the client. However, it is important to note that the site seems to be owned by a legitimate venture capital group, which may indicate a compromise of their organization or that the email account was spoofed. The attacker submitted the email from "support[@]capitalizedadventures[.]com" while posing as "Jay Peterman". 

From the two phishing emails, both attachments contain similar malware. Only changes to the filenames and corresponding commands were observed between the two.

When downloaded, the initial attachment is a local HTML file. The web page claims to be an adobe site and that the attached document is a PDF which is password protected:

Using the password "abc888" to unzip the attachment, the user is presented with an ISO file. The two samples produced different ISO names:  Claim_Copy_1796.iso and Claim_Copy_5898.iso.

The subdirectories to the fathomed directory, elude, omicron, and shabbily, are all empty as confirmed by navigating to them and running "ls -a" and returning no files. This was verified through "du -h" which resulted in 4.0k size, which is consistent of an empty directory.

When opened in a Windows environment the following is displayed:

Image

The ISO mounts as a DVD Drive. The "Claim_Copy" shows the icon for windows file explorer. Clicking on these calls the corresponding JavaScript file contained within each iso.

Image

In both cases the JavaScript files set several variables before running the ".cmd" file contained within the ISO. This is likely done as a method to avoid detection from Log Analysis Engines, such as the Sagan Engine, as well as other monitoring services such as Microsoft's Defender or Sentinel.

Image

The command is called with echo off, so that no text will be displayed to the user. Ultimately, this CMD file calls the "db" file. In both samples, the "db" file is not a database, but is the actual Qakbot trojan.

Image

Something interesting to note: the "campus.txt" contains an excerpt from "Through the Looking Glass" by Lewis Carol. This inclusion may be to add easily changeable padding to the ISO. Doing so would allow the easy addition or subtraction of data in order to change the ISO’s hash value without changing any important content of the executables.

Following detonation of Qakbot, the malware copied itself to "$CURRENTUSER\AppData\Roaming\Microsoft\Isoaahffo\djkuuhd.dll," as confirmed by the file's hashes shown below, and sets itself to auto run. Following this, the malware begins to beacon out to hard coded C2 servers. A breakdown of the observed IP’s and their ports can be found in the INDEX A below. This contains over 100 IP’s for potential C2 servers.

Image

During the initial detonation of 5898, the process imbedded itself into wermgr.exe, the Windows Error Reporting Manager (Process ID 6660).

Image

Image

Image

Further analysis of the registry keys added by the sample were able to be decrypted by leveraging the decryption script found at the link "https://github.com/drole/qakbot-registry-decrypt". These show the full path to the dropped file "xjkuuhd.dll" as well as the Qakbot campaign identifier: "obama206."

Image

Image

As with the case with other Qakbot investigations, multiple potential IP’s were observed during the testing. During the incident, the first warning sign of compromise came from the victims Cisco Advanced Malware Protection alerting. Cisco AMP detected an attempt to contact "76[.]169[.]76[.]44"[Van Nuys, CA] over TCP port 2222. It is interesting to note that other IP’s were attempted to be reached over port TCP 2222, however, this C2 node was the only IP to return any data over TCP port 2222, which may be why this alert triggered. According to Suricata logs, this was also the first IP that was reached out to via 2222. A later review of the logs revealed that the first attempt to contact the C2 ip’s ("61[.]70[.]29[.]53"[Taiwan]).

Image

Due to TCP port 2222’s common use as an alternate port for SSH communication, the Malware Analyst recorded a manual SSH connection to the emulated C2 host in order to show the difference between an SSH connection and the connection made by the Malware sample. Evidence suggests that the sample does not communicate over SSH and the communication is consistent with HTTP/S traffic.

Image

The malware analyst attempted to connect via SSH to the emulated C2 host. Note the first packet from the experimental machine to the emulated C2 device following the 3-way TCP handshake shows header information containing the OpenSSH client information. This was produced manually as an example of an SSH connection while SSH was running on the emulated C2 host on port 2222. An overview of the lab setup and tools can be found in INDEX B.

Image

While continuing to run the SSH client on the emulated C2 device, the malware was detonated on the VM, we can see that the same packet following the 3-way handshake no longer contains SSH information but is detected as a Client Hello.

Image

The emulated C2 Server is now running an HTTPS server on TCP port 2222. This PCAP above shows the conversation from the 3-way handshake to the resetting of the connection.

Following observation of the malware samples, we now know that most of the connection attempts to the C2 IP’s are conducted over TCP port 443. Because of the common use of this port, and the use of TLS in these connections, both attempts and the successful connections went undetected by Suricata and Cisco AMP.

Many of the connections over 443 resulted in minimal connections consistent with nothing more than TCP negations.  However, IP’s "119[.]42[.]124[.]18"[Thailand] and "193[.]3[.]19[.]37"[Russia] showed multiple packets and data transferred, including the exchange of TLS certificates. The size and length of connection indicates that the second stage was downloaded from "193[.]3[.]19[.]37"[Russia].

Image

The largest connection between P0 and the C2 domain. Because of the amount of data outbound, this also may indicate some data exfiltration or interaction with the downloaded second stage from the C2.

POST-EXPLOITATION TECHNIQUES, TACTICS, AND PROCEDURES

COMMAND AND CONTROL

Initial Command and Control was initially conducted from "23.19.58.43"[zedorocop[.]com] and "23.106.160.141" [danimos[.]com]. The IP’s used for C2 and the level of interaction changed over time as the compromise grew.  For example, mid-stage infections showed calls to "146[.]70[.]86[.]44"[gerhiles[.]com]. It’s important to note that the FQDN’s that were used as C2 were all registered the same month as the compromise.

Image

 

POTENTIAL COBALT STRIKE INSTALLATION - TOX5.EXE

Initial static review of the tox5 sample did not reveal much information, indicators show that this may have the ability to clear event logs.

Image

 

A dynamic analysis of "Tox5" shows the malware drops itself in a randomly generated name folder under the "ProgramData" directory and adds itself to a scheduled task.

Image

 

Image

 

During the lab testing of the tox5 sample, we observed the sample gain persistence through duplication of the sample. This is observed below by comparing the file hashes for "tox5.exe" and "C:\ProgramData\lplshr\basinqt.exe."

Image

 

Image

 

Image

 

Although no obvious signs of compromise were apparent to the user of the infected host, a review of the network traffic from the host showed the newly installed program reached out to "gerhiles[.]com", which had been observed during the incident as a Command and Control site.

Image

 

Following the resolution of gerhiles[.]com, and the activation of "INetSim" to simulate a website, the PCAP above shows connections were attempted over port 4001.

Image

 

Leveraging "netstat -a -n -o" revealed the PID of the service connecting on port 4001. Task manager was then use to reveal the service running on PID 3488, which was renamed instance of Tox5.

Because of the beaconing activity, persistence, and apparent ability to wipe event logs, it is likely that tox5 is a component of Cobalt Strike or similar framework.

LATERAL MOVEMENT: SMB AND RDP

Brute Ratel allows for lateral movement leveraging RPC to create SMB traffic. Although no direct RPC actions were observed, possibly from lack of logging or the method of RPC use, multiple logs throughout the incident show the transfer of files using SMB. Logging shows actions taken by the attacker that were recorded by RDPClip in the form of clipboard logging, indicating the use of Remote Desktop Protocol.[CI1] [SD2]  After the connection to the internet and shared domains were severed, automated processes continued to propagate malware.

Files commonly observed transferred via SMB include:

• Black Basta Ransomware  "Client_s.exe" and "Client.exe"
• Cobalt Strike beacon with the name of "Ticket-5731.xls"
• ".bat" files designed to disable Cisco AMP / Microsoft Defender
  • W.bat
  • Cc.bat

Image

 

Clipboard logging Showing the Transfer of Cobalt Strike Beacons using RDPClip:

The first part of the command is below, with the payload redacted for size and ease of readability. This occurred immediately following the clipboard transfer of the command "net stop Cisco AMP".

Image

 

Image

 

The second encoded Base64 string was not only base64 but also Gziped for size and obfuscation. This shows the decoded and uncompressed data.

Image

 

Leveraging the Cobalt Strike payload decoder from Github user "0xtornado" shows that the payloads were sent using the user agent below.

Image

 

Additional Files and commands observed transferred detected via clipboard logging:

The following 31 commands were ran between Sep 22, 2022 @ 20:01:39.000 and Sep 22, 2022 @ 20:02:46.000. The syntax indicates these are the commands used to reset the administrative passwords following the attempted lock out of the threat actor.

Image

 

According to Google translate, the Russian phrases translate to "bury along the way" and "launch with balloons". This may be direct translations, however adding any additional character following the Russian phrases changes the translation to "Lock on Path", and "launch with balls" respectfully. Also note the use of "-forcepath" and "-bomb".

Image

 

A search of Active Directory for users whose passwords never expire, and the last set date while writing to a file for later exfiltration:

Image

 

Stopping Cisco AMP /  Disabling Microsoft Defender, these are the same commands as observed in the ".bat" files:

Image

 

Transfer and use of Ticket-5731.xls (determined to be Cobalt Strike):

Image

 

Url to download "cob_12.dll" and "tox5.exe". Although cob_12.dll was not collected for technical sample, tox5.exe was reviewed:

Image

 

Clipboard logging showing the “uninstall” commands for Windows Defender:

Image

 

Adding an Admin to ESXi environment:

Image

 

Domain Controller detection:

Image

 

Connection attempt to a "SH/WEB" domain:

Image

 

Command showing the use of "Bitsadmin" to transfer the Black Basta Ransomware:

Image

 

Connection from Client by threat actor:

Image

 

DISABLING ANTIVIRUS/MALWARE SOFTWARE USING ".BAT" FILES

The two ".bat" files that were sent throughout the organization were both designed to turn off Antivirus and Antimalware software. It is interesting to note that “cc.bat” does not use any obfuscation and just contains the simple command to stop AMP Orbital. This could indicate that it was written hastefully in order to get it onto the target environment.

"cc.bat" is a simple script designed to stop Cisco AMP.

Image

 

“W.bat”, on the other hand, has some simple but clever obfuscation in place. When using "vim” or another text editor, the .bat file appears to contain Chinese characters. However, performing "cat" or "strings" reveals the actual data. This uses a mixture of disguising the ASCII as UTF-16 via manipulating the start of the file, as well as obfuscating the data using a simple cypher. The strings of characters following "set" act as the key. When the script is executed, the system will swap out the numbers in the body for the place in the key string. The link from Superuser[.]com in INDEX D goes into more specifics on how this is done.

"w.bat" as viewed through a text editor. For this example, the text editor "vim” was used to open the file:

Image

 

"w.bat" as viewed through the bash command "cat":

Image

 

After copying and pasting the body of "w.bat" into its own text document "w.txt", the team was able to run a lengthy "sed” command against the file to reveal the below:

Image

The sed statement used to decode the body of "w.bat":

Image

EXFILTRATION THROUGH RECLONE

Once the file server was identified, an FTP connection was established to an external site. This was not used for C2 activities but only for receiving the exfiltrated data. Over the past several years, multiple cyber security firms and the FBI have posted increased observation of the use of “RClone” to exfil data. Suricata logs show that RClone was downloaded on the file servers in order to facilitate exfiltration of the logs.

Image

Suricata Flow log from "Subsidiary PIE" to the IP resolved for “Rclone”. This likely shows the connection containing the download of RCLONE.

Image

First connection on Subsidiary PIE to the external file dump:

Image

First connection on Construction PIE to the external file dump. (Other logs are available showing the DNS request and download of RClone for the Construction domain as well):

Image

ENCRYPTION VIA BLACK BASTA RANSOMWARE

Two file names were observed during the incident "Client_s.exe" and "Client.exe." It is expected that the different naming schemes are related to the different variations of the ransomware. Although no sample was able to be provided for Client.exe (which is believed to be the ESXi variant), Quadrant was able to obtain a copy of "Client_s.exe" for Windows hosts.

From a static malware analysis review, very little was initially able to be obtained from the sample aside from the ".basta" suffix and a relation to "Fax."

Image

Static analysis conducted inside of x32dbg, showing a relation to "FAX" and the potential use of the directory "ProgramData":

Image

Upon detonation, running the malware sets itself up as the service "Fax" and enables it to start during safe boot. The ransomware then proceeds to restart into safe mode using bcdedit.exe. BCDEdit is a command line program in windows which is used to modify the “Boot Configuration Data.” While in safe mode, the encryption of files occurs. Once the encryption is complete, the system is then restarted into the standard operating mode.

Image

Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which indicates the creation of a Mutex:

Image

Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON, which shows the addition of "Fax" to the registry allowing it to start in Safemode:

Image

Using the automated malware analyzer CAPEv2 allowed for the detection and capture of this JSON which shows the use of BCDEdit to restart the host into safemode with networking:

Image

Following infection, the host restarts into safe mode where the encryption action takes place:

Image

Following the encryption, the computer then restarts into standard mode. The background has been replaced to show "Your Network is Encrypted by the Black Basta group. Instruction in the file readme.txt" the only files still accessible to the user are the "readme" files.

Image

During the end state of the active compromise, two flags were observed in Clipboard logging, "-bomb" and "-forcepath". The writeups conducted by "Northwave-Security" and  "Deepinstinct" share more light onto these flags. These show that "bomb" designates a full detonation of all reachable hosts, and "forcepath" is for a specific instance or directory. According to the recent writeups above, this indicates that this is one of the newest renditions of the malware.

We are attempting to better understand the use of the "-bomb" flag and how it communicates with the other infected machines. It is likely that the reason the machine is restarted into safe mode with networking indicates that this communication may occur at this time.

INDEX A: INDICATORS OF COMPROMISE

FILE NAMES AND HASH VALUES

File Name	SHA-256 Hash
Claim_Copy_1796.iso	2cf56e6c050d0c9d8ada6cdb79a8ed2b8bbc25cd7d33ccc79aeedb31b5ad00df
damagesMeaning.js	7a39324822941014609f0fd7d05f1adbbccc3f36d79103e2589251680f3b6c63
centipede.gif	e8f5fa12faea9430645853fbb24ce46a5a62cb906168dd17b62d865ddfe201e3
DecomposedLoners.cmd	cd5b4bd824bad0be78e4cdf6d7fe8a950bd63f294713b8cb49de887d8a8410bc
excite.jpg	4fd4fdedb11b76a24fba289e0b3a8ed07261f98d279932420c7af779663605f8
sinkers.db	c4875bd0683467c1e5d44f80b1d5abf6ac9b6f5bf5b6750a1e653416a68ed006
Claim_Copy_5898.iso	474b800fa4f8c2638607b012029cb134b58534e7817fbf3658c9c1d8c78204fa
Claim_Copy.lnk	e2eb9029fd993a9ab386beb7ca4fa21a1871dc0c7568eb802cac1ea3c53cad8b
campus.txt	319704f093b71286985716d87c6fb20d6ddc334be6f1ccc042de8c73f7f5df36
centipede.gif	e8f5fa12faea9430645853fbb24ce46a5a62cb906168dd17b62d865ddfe201e3
clockwatcherMinty.js	14d53c3d675458863ee2b336a4203f680932181ff5db99bb2f1640ffd44947b5
excite.jpg	4fd4fdedb11b76a24fba289e0b3a8ed07261f98d279932420c7af779663605f8
meddled.db	4f7d97bf4803bf1b15c5bec85af3dc8b7619fe5cfe019f760c9a25b1650f4b7c
unspoolingPeak.cmd	4b3eb841b765c4aeb6b273e42a60e1f8ba3d3d94c613a27cd6446a354c2b7285
w.bat	4e54d7ed5055bc0e7858d49aaec17bd3ed69e8da94262c6a379ddd81abc31b5e
cc.bat	90e9bd336e51c88002e5e9a109c5fb0e57d2c90cd54d4bc7480b69fa302beb73
tox5.exe	d4dd79c97b091dd31791456c56d727eb0b30af9c0172dd221556d28495b8a50f
Client.exe	5b8bf891808be44f24156cf5430730e610c0df6eaaa4b062623a7a675d234b62
Cleint_s.exe	17eccc7e2ce38dafd41d68861da636d7c05290b95d4fd75ec87b819094702cf6
Zfgufgfvezdnbcvjkzctpvfdj.dll	62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967

 

HARDCODED IP'S OBSERVED FROM QAKBOT SAMPLES

IP	Port Observed	Country	AbuseIPDB Score
1.10.253.207	443	Thailand	0
2.89.78.130	993	Saudi Arabia	0
14.183.63.12	443	Viet Nam	0
27.73.215.46	32102	Viet Nam	0
31.166.116.171	443	Saudi Arabia	30
31.32.180.179	443	France	0
31.54.39.153	2078	United Kingdom	0
37.37.206.87	995	Kuwait	0
37.76.197.124	443	Palestine	0
41.103.226.172	443	Algeria	0
41.105.197.244	443	Algeria	0
41.107.78.223	995	Algeria	0
41.142.132.190	443	Morocco	0
41.69.103.179	995	Egypt	0
41.96.171.218	443	Algeria	0
45.160.124.211	995	Brazil	0
45.183.234.180	443	Brazil	0
45.241.140.181	995	Egypt	0
45.51.148.111	993	United States of America	0
46.116.229.16	443	Israel	0
46.186.216.41	32100	Kuwait	0
47.146.182.110	443	United States of America	0
61.105.45.244	443	Korea (Republic of)	0
61.70.29.53	443	Taiwan	0
62.114.193.186	995	Egypt	0
64.207.215.69	443	Afghanistan	0
66.181.164.43	443	Mongolia	0
68.129.232.158	443	United States of America	0
68.151.196.147	995	Canada	0
68.224.229.42	443	United States of America	0
68.50.190.55	443	United States of America	0
68.53.110.74	995	United States of America	0
70.49.33.200	2222	Canada	0
70.51.132.197	2222	Canada	0
70.81.121.237	2222	Canada	0
71.10.27.196	2222	United States of America	0
72.66.96.129	995	United States of America	0
72.88.245.71	443	United States of America	0
76.169.76.44	2222	United States of America	0
78.182.113.80	443	Turkey	0
81.214.220.237	443	Turkey	0
81.56.22.251	995	Italy	0
83.110.219.59	993	United Arab Emirates	0
84.238.253.171	443	Bulgaria	0
84.38.133.191	443	Netherlands	0
85.114.110.108	443	Palestine	0
85.139.203.42	32101	Portugal	0
85.98.206.165	995	Turkey	0
85.98.46.114	443	Turkey	0
87.220.229.164	2222	Spain	0
87.243.113.104	995	Bulgaria	0
87.75.195.211	443	United Kingdom	0
88.231.221.198	443	Turkey	0
88.231.221.198	995	Turkey	0
88.232.207.24	443	Turkey	0
88.242.228.16	53	Turkey	0
88.245.168.200	2222	Turkey	0
88.246.170.2	443	Turkey	0
88.251.38.53	443	Turkey	0
89.211.217.38	995	Qatar	0
89.211.223.138	2222	Qatar	0
91.116.160.252	443	Spain	0
94.99.110.157	995	Saudi Arabia	0
95.136.41.50	443	Portugal	0
98.180.234.228	443	United States of America	0
99.232.140.205	2222	Canada	0
99.253.251.74	443	Canada	0
100.1.5.250	995	United States of America	0
102.101.231.141	443	Morocco	0
102.184.151.194	995	Egypt	0
102.38.97.229	995	South Africa	0
102.40.236.32	995	Egypt	0
105.105.104.0	443	Algeria	0
105.111.60.60	995	Algeria	0
105.99.80.23	443	Algeria	0
109.155.5.164	993	United Kingdom	0
109.200.165.82	443	Yemen	0
110.4.255.247	443	Japan	0
113.22.102.155	443	Viet Nam	0
118.174.200.169	995	Thailand	0
118.216.99.232	443	Korea (Republic of)	0
118.68.220.199	443	Viet Nam	0
119.42.124.18	443	Thailand	0
119.82.111.158	443	India	0
123.240.131.1	443	Taiwan	1
134.35.9.144	443	Yemen	0
138.0.114.166	443	Brazil	0
139.195.132.210	2222	Indonesia	0
139.195.63.45	2222	Indonesia	0
141.164.254.35	443	Saudi Arabia	0
151.234.63.48	990	Iran (Islamic Republic of)	0
154.181.203.230	995	Egypt	0
154.238.151.197	995	Egypt	0
154.246.182.210	443	Algeria	0
156.213.107.29	995	Egypt	0
156.219.49.22	995	Egypt	0
160.152.135.188	2222	Nigeria	0
160.176.204.241	443	Morocco	0
167.60.82.242	995	Uruguay	0
169.1.47.111	443	South Africa	0
171.238.230.59	443	Viet Nam	0
171.248.157.128	995	Viet Nam	0
173.218.180.91	443	United States of America	0
176.42.245.2	995	Turkey	0
177.255.14.99	995	Colombia	0
179.108.32.195	443	Brazil	0
179.223.89.154	995	Brazil	0
179.24.245.193	995	Uruguay	0
180.180.131.95	443	Thailand	0
181.111.20.201	443	Argentina	0
181.118.183.123	443	Argentina	0
181.127.138.30	443	Paraguay	0
181.231.229.133	443	Argentina	0
181.56.125.32	443	Colombia	0
181.80.133.202	443	Argentina	0
181.81.116.144	443	Argentina	0
182.213.208.5	443	Korea (Republic of)	0
184.82.110.50	995	Thailand	0
184.99.123.118	443	United States of America	0
186.105.182.127	443	Chile	0
186.120.58.88	443	Dominican Republic	0
186.154.92.181	443	Colombia	0
186.167.249.206	443	Venezuela (Bolivarian Republic of)	0
186.50.245.74	995	Uruguay	0
187.205.222.100	443	Mexico	0
188.157.6.170	443	Hungary	0
189.19.189.222	32101	Brazil	0
190.158.58.236	443	Colombia	0
190.44.40.48	995	Chile	0
190.59.247.136	995	Trinidad and Tobago	0
191.254.74.89	32101	Brazil	0
191.84.204.214	995	Argentina	0
191.97.234.238	995	Argentina	0
193.3.19.37	443	Russian Federation	0
194.166.205.204	995	Austria	0
194.49.79.231	443	United States of America	0
196.112.34.71	443	Morocco	0
196.92.172.24	8443	Morocco	0
197.11.128.156	443	Tunisia	0
197.204.243.167	443	Algeria	0
197.49.50.44	443	Egypt	0
197.94.84.128	443	South Africa	0
201.177.163.176	443	Argentina	0
210.195.18.76	2222	Malaysia	0
211.248.176.4	443	Korea (Republic of)	0
212.156.51.194	443	Turkey	0
219.69.103.199	443	Taiwan	0
220.116.250.45	443	Korea (Republic of)	0

 

ADDITIONAL IP'S OBSERVED

IP	Domain	Country	Abuseipdb Score
23.106.123.13	NA	Singapore	0
23.106.160.141	danimos[.]com	United States of America	0
23.19.58.43	zedorocop[.]com	United Kingdom	0
23.29.115.172	NA	United States of America	0
45.132.226.209	NA	Switzerland	3
45.134.22.54	NA	Italy	0
45.153.241.64	NA	Germany	0
45.61.138.29	NA	United Kingdom	0
45.86.200.21	NA	Netherlands	0
45.86.200.77	NA	Netherlands	0
45.89.242.2	NA	United Kingdom	1
47.87.229.39	temp[.]sh	United States of America	0
64.52.80.212	NA	United States of America	0
78.141.213.249	NA	Netherlands	0
104.194.10.130	NA	United States of America	0
104.243.38.65	NA	United States of America	0
138.199.59.52	NA	Poland	0
146.70.106.61	NA	Netherlands	0
146.70.86.44	gerhiles[.]com	Netherlands	0
151.236.28.34	NA	Netherlands	0
172.93.100.71	NA	United States of America	0
176.10.80.37	NA	United Kingdom	0
176.90.193.145	NA	Turkey	0
185.163.110.124	NA	Romania	0
185.77.218.10	NA	Finland	0
194.37.97.161	NA	United States of America	0
194.5.53.215	NA	France	0
194.5.53.86	NA	France	0
207.229.167.36	NA	United States of America	100
212.30.37.227	NA	Netherlands	0

 

INDEX B: MALWARE ANALYSIS LAB AND TOOL OVERVIEW

The lab environment consisted of three Virtual Machines running inside of VMWare Workstation 16 Pro. The network was configured not to allow any connection to the internet.

HOST 1: ANALYSIS HOST

The analysis host ran the Linux distro "REMnux." Upon startup, an iptables setup script was ran containing all the hardcoded C2 IP’s for the Qakbot malware. This was done in order to all the malware to communicate with the hard coded IP’s without allowing commination to a C2 host.

Image

Additional software used during the analysis includes:

Wireshark: Network packet capture and analysis

Inetsim: An "Internet Simulation" tool which creates fake http and other services for malware samples to interact with.

FakeDNS: A fake DNS service which responds with a predetermined IP. Default IP is the host FakeDNS is installed on.

Readpe.py: Used to read Portable Executable files.

HOST 2: EXPERIMENTAL HOST

The experimental host rans Windows 10 build 19041. This host was used for detonation of the malware samples provided by the client.

NXlog is installed on this host. Windows logging is forwarded to Host 3.

Host 1 is configured to be the internet gateway. Aside from the logging connection to host 3, all other connections are forced through Host 1.

Additional software used during the analysis includes:

X32dbg: Interactive debugging program.

Regshot: Captures a "snapshot" of the registry before and after detonation of a sample to observe the changes on the host.

Wireshark: Network packet capture and analysis.

Qakbot Registry Decryption Tool: Used to decrypt Qakbot registry entries.

HOST 3: LOGGING HOST

The logging host runs Debian 11. This host only receives windows logging from Host 2.

Image

INDEX C: LIST OF SAGAN RULES DEVELOPED FROM THIS INCIDENT

Rules that were developed following this incident. A full list of Sagan Rules can be found on github.com/quadrantsec/sagan-rules

Rule Name	SID
[CISCO-SECUREENDPOINT] Exploit attempt was detected	5008352
[CISCO-SECUREENDPOINT] Exploit attempt was prevented	5008355
[CISCO-SECUREENDPOINT] Event Engine Detection	5008356
[WINDOWS-CLIPBOARD] Get-ADGroupMember Command	5008362
[WINDOWS-CLIPBOARD] Get-ADUser Command	5008363
[WINDOWS-CLIPBOARD] Service being stopped	5008364
[WINDOWS-CLIPBOARD] Powershell Policy Bypass Command	5008365
[WINDOWS-CLIPBOARD] Disable Windows Defender Command	5008366
[WINDOWS-CLIPBOARD] Disable Realtime Monitoring Command	5008367
[WINDOWS-CLIPBOARD] Uninstall Windows Defender Command	5008368
[WINDOWS-CLIPBOARD] Remoe-exec psexec command	5008369
[WINDOWS-CLIPBOARD] Powershell encodedcommand	5008370
[WINDOWS-CLIPBOARD] rundll32 command	5008371
[WINDOWS-CLIPBOARD] rundll32 command with DllRegisterServer	5008372
[WINDOWS-CLIPBOARD] net commands	5008373
[WINDOWS-CLIPBOARD] net commands	5008374
[WINDOWS-CLIPBOARD] query user command	5008375
[WINDOWS-CLIPBOARD] rwinsta command	5008376
[WINDOWS-CLIPBOARD] nltest command	5008377
[WINDOWS-CLIPBOARD] netstat output v1	5008378
[WINDOWS-CLIPBOARD] netstat output v2	5008379
[WINDOWS-CLIPBOARD] copy from share drive to local C: command	5008380
[WINDOWS-CLIPBOARD] bitsadmin file transfer command	5008381
[WINDOWS-CLIPBOARD] proxychains command	5008382
[WINDOWS-SECURITY] Service being stopped by net command v1	5008343
[WINDOWS-SECURITY] Service being stopped by net command v2	5008344
[WINDOWS-SECURITY] Disable Windows Security	5008347
[WINDOWS-SECURITY] Copied rundll32 command executing non-standard dll	5008348
[WINDOWS-SECURITY] Possible UAC Bypass - Rundll32.exe using DLLRegister	5008351
[WINDOWS-SECURITY] Exfil software rclone detected	5008354
[WINDOWS-SECURITY] A service was installed in the system (powershell)	5008357
[WINDOWS-SECURITY] A service was installed in the system (DllRegisterServer)	5008358
[WINDOWS-SECURITY] A service was installed in the system (rundll32 .xls)	5008359
[WINDOWS-SECURITY] A service was installed in the system (rundll32 public directory)	5008360
[WINDOWS-SECURITY] Blackbasta ransomware file extension detected (.basta)	5008361
[WINDOWS-SYSMON] CMD executed from spool directory	5008345
[WINDOWS-SYSMON] Rundll32 network connection detected	5008346
[WINDOWS-SYSMON] Possible Traversal - File created in Public directory	5008349
[WINDOWS-SYSMON] Possible hidden service installed	5008350
[WINDOWS-SYSMON] Process Injection - Rundll32 remote thread into winlogon	5008353
[WINDOWS-SYSMON] Safeboot Registry Entry - Possible Blackbasta	5008399

 

INDEX D: REFERENCES

-Deepinstinct’s review of similar Black Bast activity
https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence

-Northwaves review of similar Black Basta activity to include the use of Qbot and Ransomware
https://northwave-security.com/en/black-basta-blog/

-VirusTotal results for the file has of zfgufgfvezdnbcvjkzctpvfdj.dll, indicating Brute Ratel
https://www.virustotal.com/gui/file/62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967

-Brute Ratel and the use of PSEexc showing use of SMB for Remote Control:
https://bruteratel.com/tabs/badger/commands/psexec/

-Brute Ratel and RPC Services:
https://bruteratel.com/tabs/badger/commands/services/

-Recent warning regarding use of RCLONE by threat actors "Daixin Team"
https://www.cisa.gov/uscert/ncas/alerts/aa22-294a

-Qakbot Registry Decryption Tool
https://github.com/drole/qakbot-registry-decrypt

-Cybercheif recipe to extract and decode Shellcode from Bobal Strike Beacon
https://gist.github.com/0xtornado/69d12572520122cb9bddc2d6793d97ab

-Decoding of files similar to "w.bat"
https://superuser.com/questions/1676713/how-to-decode-contents-of-a-batch-file-with-chinese-characters

-Quadrant’s Github page for the Sagan Log Analysis Engine
https://github.com/quadrantsec/sagan-rules

For more information regarding this analysis interested parties should contact cclark@quadrantsec.com